CN109214973B - Method for generating countermeasure security carrier aiming at steganalysis neural network - Google Patents

Method for generating countermeasure security carrier aiming at steganalysis neural network Download PDF

Info

Publication number
CN109214973B
CN109214973B CN201810984120.8A CN201810984120A CN109214973B CN 109214973 B CN109214973 B CN 109214973B CN 201810984120 A CN201810984120 A CN 201810984120A CN 109214973 B CN109214973 B CN 109214973B
Authority
CN
China
Prior art keywords
steganalysis
neural network
carrier image
image
noise
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810984120.8A
Other languages
Chinese (zh)
Other versions
CN109214973A (en
Inventor
张卫明
俞能海
张逸为
冯晓兵
周文柏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology of China USTC filed Critical University of Science and Technology of China USTC
Priority to CN201810984120.8A priority Critical patent/CN109214973B/en
Publication of CN109214973A publication Critical patent/CN109214973A/en
Application granted granted Critical
Publication of CN109214973B publication Critical patent/CN109214973B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00General purpose image data processing
    • G06T1/0021Image watermarking
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Image Processing (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a method for generating a confrontation safety carrier aiming at a steganalysis neural network, which utilizes a gradient back propagation technology to enable the steganalysis neural network to modify an input image to generate a confrontation sample, adds a regular term into a distortion function to prevent excessive modification, uses random noise to simulate steganalysis information and enables the network to learn the modification position and amplitude for confronting the noise, and generates a stable confrontation sample by adopting a cycle of iterative modification, periodic quantization and effect evaluation. By using the method disclosed in the invention, a given neural network or networks for steganalysis can lose the ability to detect the secret carrier with a great probability.

Description

Method for generating countermeasure security carrier aiming at steganalysis neural network
Technical Field
The invention relates to the technical field of deep learning and information hiding, in particular to a method for generating an confrontation safety carrier aiming at a steganalysis neural network.
Background
In recent years, many advanced steganographic algorithms have been proposed by information hiding researchers to hide secret information into a carrier image to realize covert communication. There are many excellent schemes for embedding secret messages in the spatial or frequency domain, such as HUGO, WOW, S-UNIWARD, HILL, JUNIWARAD and UERD. These methods can minimize heuristically defined embedding distortion while hiding secret information into a given image to reduce statistical detectability.
Steganalysis is an analysis technology aiming at steganography, and for a carrier to be detected, steganalysis work is divided into a plurality of different levels which are mainly divided into: steganographic carrier detection, steganographic algorithm analysis, secret information extraction, steganographic plain acquisition and the like. Wherein the steganographic carrier detection is intended to detect whether the carrier is embedded with secret information; the steganography algorithm analysis is to analyze the secret information embedding method and the embedding rate of the steganography carrier on the basis of the previous step; the task of extracting the secret information is to determine the embedding position of the secret information and extract a steganographic ciphertext on the basis of the previous two steps of work; and finally, the ciphertext is decrypted into the steganographic plaintext, and the steganographic analysis work is completed.
However, the mainstream steganalysis work today focuses on the first step of the analysis process, namely steganographic carrier detection, and mainly studies how to determine with high precision whether the carrier contains secret information, and it is generally assumed that the steganalysis method and the embedding rate are known. At present, the traditional steganalysis method is divided into two steps of high-dimensional feature extraction and machine learning classifier training. Rich Models (RMs) are an excellent set of steganalysis features, usually used for the first step. The model has various versions, and most representative are a rich model in the spatial domain (SRM) and a rich model in the frequency domain (J-SRM). The most common choice classifier for machine learning is the Ensemble Classifier (EC). The combination of SRM and EC can achieve excellent detection performance. Other common steganalysis characteristics include markov, co-occurrence matrix, histogram high-order distance, etc., and many steganalysis algorithms have been developed based on these characteristics: SPAM and CSR exist in the space domain, and the representative characteristics of the frequency domain are PEV, CHEN, CC-CHEN, CC-PEV, DCTR, PHARM, GFR and the like.
Over the past two years, steganalysis based on Convolutional Neural Network (CNN) models has made tremendous progress. Compared with the traditional method, the CNN-based neural network uses various network structures to learn the effective characteristics of the image, so as to distinguish the secret-carrying image from the non-secret-carrying image. Qian uses a CNN structure with a gaussian function to construct a steganalysis model. Xu designs another CNN structure with a hyperbolic activation function. Wu proposes a CNN model that makes full use of the residual network for image steganalysis. Ye proposes a CNN model, the first layer of which is initialized to a high-pass filter bank used in SRM and introduces a new activation function TLU and a selective channel sensing scheme based on steganalysis of CNN. Ye and Wu networks outperform SRM + EC.
Thus, deep-learning steganalysis has become a serious challenge for steganography, with the goal of removing the threat of deep-learning steganalysis to steganography, noting that the tasks of neural networks for steganalysis and networks for object classification are very similar, both in terms of the structure of the networks and the number of classification objects. Steganalysis is a binary classification problem, and object classification has multiple classification labels. The countermeasure sample technique is a technique that can spoof a neural network. The challenge samples themselves are samples that add elaborate small challenge noise to the input to trick the neural network into producing an incorrect output. Szegedy and Goodfellow do pioneering work for generation of countermeasure samples, and a countermeasure sample construction method based on neural network gradient is provided, the method can effectively mislead the neural network to generate a judgment result obviously inconsistent with vision, but the method can modify an image in a large area, the modification is only related to gradient symbols, and information of gradient amplitude is not utilized; the method aims to ensure the accuracy of misleading the modified image to the neural network, and does not relate to the robustness of the modified image to the neural network, so that the method cannot be directly applied to the countermeasure of the steganalysis neural network.
Disclosure of Invention
The invention aims to provide a method for generating an antagonistic safe carrier aiming at a steganalysis neural network, which can lead a given steganalysis neural network or networks to lose the capability of detecting a carrier with a great probability and has higher robustness.
The purpose of the invention is realized by the following technical scheme:
a method of generating an antagonistic security vector for a steganalysis neural network, comprising:
step A, adding random steganography noise to an original carrier image by using a countermeasure sample technology to obtain a noisy image;
step B, inputting the image with noise into a given steganalysis neural network, calculating and modifying the gradient information of the original carrier image by calculating a loss function of the steganalysis neural network, further obtaining the counternoise, and then superposing the counternoise on the original carrier image to obtain a final enhanced carrier image of the iteration;
and step C, performing performance test on the enhanced carrier image by using a given steganalysis neural network, assigning the enhanced carrier image to the original carrier image, repeatedly executing the steps A to C, limiting the iteration times to K times, and selecting the enhanced carrier image with the best performance as an anti-safety carrier by combining performance test results after the iteration times are K times.
According to the technical scheme provided by the invention, the safety carrier for specifying one or more steganalysis neural networks is generated, and the generated safety carrier is difficult to be perceived by the neural networks.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a flowchart of a method for generating an anti-secure bearer for a neural network for steganalysis according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of calculating gradients for a multi-neural network according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an error rate of network identification in an experiment provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method for generating an anti-security carrier aiming at a steganalysis neural network, namely, anti-noise and embedded messages are added to an original carrier image. The enhanced carrier C 'is first constructed by adding the counternoise to the original carrier image C, and then the message m is embedded in C' to obtain S. In this way, the recipient can successfully extract m from S. The method of the invention can make the enhanced carrier C' robust enough to resist the influence of the message embedding process, so that S can still be misjudged as a carrier image without steganography by the deep learning classifier. The method for generating the enhanced vector mainly comprises the following steps:
step A, adding random steganography noise to an original carrier image by using a countermeasure sample technology to obtain a noisy image;
step B, inputting the image with noise into a given steganalysis neural network, calculating and modifying the gradient information of the original carrier image by calculating a loss function of the steganalysis neural network, further obtaining the counternoise, and then superposing the counternoise on the original carrier image to obtain a final enhanced carrier image of the iteration;
and step C, performing performance test on the enhanced carrier image by using a given steganalysis neural network, assigning the enhanced carrier image to the original carrier image, repeatedly executing the steps A to C, limiting the iteration times to K times, and selecting the enhanced carrier image with the best performance as an anti-safety carrier by combining performance test results after the iteration times are K times.
For ease of understanding, the above process is described in detail below with reference to fig. 1.
Step 11, recording the original carrier image as C, and generating the amplitude of [ -1,1 [ -1 [ ]]A random steganography noise matrix is arranged between the original carrier image C and the original carrier image C, and the noise is superposed on the original carrier image C to obtain a noisy image Cn
The scheme is an iteration in the embodiment of the inventionThe process, for the ith iteration, the random steganographic noise matrix is marked as niAnd the resulting noisy image is recorded as
Figure RE-GDA0001874390860000041
Step 12, adding CnThe method is used as input and put into a given steganalysis neural network, network parameters are fixed, and the network is made to perform back propagation by taking 'non-secret-carrying' as a real label y to obtain a modification gradient eta of an input image.
In the embodiment of the invention, two cases of a single steganalysis neural network and a plurality of steganalysis neural networks are considered.
Assuming that the number of given steganalysis neural networks is h;
when h is 1, i.e. a single steganalysis neural network is given, the formula for calculating the gradient η of the modified original carrier image is as follows:
Figure RE-GDA0001874390860000042
where θ represents a given steganalysis neural network
Figure RE-GDA0001874390860000043
C represents the original carrier image and y represents the real label;
Figure RE-GDA0001874390860000044
is a neural network loss function with theta as a parameter, C as an input and y as a label;
Figure RE-GDA0001874390860000045
representing pairs with C as an argument
Figure RE-GDA0001874390860000046
Derivation is carried out;
when h >1, i.e. given a number of steganalysis neural networks, a joint loss function is first calculated.
As shown in fig. 2, the various networks are merged together to form a network withJoint network N of one and the same input and several outputsNmulTaking the weighted sum of the cross entropy of the output of each steganalysis neural network and the real label as a loss function,
Figure RE-GDA0001874390860000047
as a regularization term, a joint loss function totallloss of all the steganalysis neural networks is obtained:
Figure RE-GDA0001874390860000048
wherein, { loss1,loss2,...,losshIs the loss function without regularization term for each steganalysis neural network, { α12,...,αhThe weight of each steganalysis neural network loss function is a regular term
Figure RE-GDA0001874390860000049
The coefficient of (a);
regularization term
Figure RE-GDA00018743908600000410
Expressed as:
Figure RE-GDA00018743908600000411
where T is the number of pixels that need to be modified, ΔiIs the cumulative competing noise after the ith iteration.
The parameter λ is set to T/number of pixels of the input image, and the degree of modifying the image is determined by controlling the parameter λ. Finally, obtaining the gradient information of the corrected original carrier image under the lambda setting:
Figure RE-GDA0001874390860000051
wherein L isNmul(θ, C, y) ═ totaloss denotes a joint loss function,
Figure RE-GDA0001874390860000052
represents C as an independent variable pair LNmul(θ, C, y) derivation.
Step 13, multiplying the learning rate epsilon as a gradient adjustment amplitude coefficient by eta to obtain the antagonistic noise nadNamely, the following steps are provided:
nad=η×∈;
step 14, superimposing the counternoise on the original carrier image C to obtain the preliminary enhanced carrier C "of the current iteration, that is:
C”=C+nad
meanwhile, the obtained C "is floating-point data, and in order to store the C" as an image and still be valid, the numerical value of each pixel in the C "is rounded by using a round () function, and the boundary of the pixel value is adjusted within the range of [0,255], so that the final enhanced carrier image C' (which may be referred to as an enhanced carrier image for short) of the iteration is obtained.
Because the scheme of the embodiment of the invention relates to multiple iterations, but because the final enhanced carrier image of each iteration does not participate in other calculations but is directly assigned to the original carrier image C, the final enhanced carrier image of each iteration can be marked as C' without distinguishing expression forms.
Step 15, analyzing the neural network by using steganalysis
Figure RE-GDA0001874390860000053
The enhanced carrier C' was subjected to a performance test.
When h is 1, a given steganalysis neural network is used
Figure RE-GDA0001874390860000054
Generating Q sets of random Noise n ═ n1’,n2’,…,nQ'} superimposing the Noise in Noise on the enhanced carrier image C' for the i-th group of Noise n, respectivelyiTo say, get the ith group of carrier images with noise
Figure RE-GDA0001874390860000055
Figure RE-GDA0001874390860000056
Analyzing neural networks using steganalysis
Figure RE-GDA0001874390860000057
Testing
Figure RE-GDA0001874390860000058
Successfully deceiving steganography analysis neural network if the proportion of gamma exceeds gamma in all noisy carrier images
Figure RE-GDA0001874390860000059
The network is identified as an un-encrypted image by the network, and the apparent enhanced carrier image reaches the expected target through the performance test;
when h is generated>1, performing performance test on the enhanced carrier image C' by using each steganalysis neural network in the same way as that when h is 1, fusing the test results of all steganalysis neural networks, and judging the ith group of noisy carrier image when all steganalysis neural networks judge
Figure RE-GDA00018743908600000510
Considering that the ith group of carrier images with noises passes the performance test when the images are not secret-carrying images; similarly, when the proportion of all noisy carrier images that exceeds γ passes the performance test, the visually enhanced carrier image has reached the intended target;
exemplarily, assuming that h is 3, all 3 steganalysis neural networks perform performance testing on the enhanced carrier image C' in the same manner as that when h is 1, and fuse the 3 performance testing results; in the performance test, it is assumed that 5 sets of random noise are generated and superimposed on the enhanced carrier image C', respectively, for the first set of noisy carrier images
Figure RE-GDA0001874390860000061
If all 3 steganalysis neural networks judge that the secret image is not carried, the first group of carrier images with noise is considered
Figure RE-GDA0001874390860000062
Passing the performance test, if the proportion of the 5 sets of noisy carrier images that exceeds γ passes the performance test, the enhanced carrier image C' has reached the intended target, i.e., passed the performance test. It should be noted that the specific value of γ can be set by those skilled in the art according to actual situations or needs, and the present invention is not limited to the value thereof.
If the enhanced carrier image obtained by the last iteration does not pass the performance test, correcting and judging the weight of the steganalysis neural network loss function with the lowest non-secret-carrying average probability, setting the non-secret-carrying average probability as rho, and setting a corresponding steganalysis neural network loss function weight correction formula as follows:
α’=α+1-ρ;
and B, during the next iteration, recalculating the joint loss function by combining the corrected weight of the steganalysis neural network loss function in the stage B.
And step 16, assigning the enhanced carrier image C' to the original carrier image C, regenerating the random noise n, and repeating the process, wherein the upper limit of the iteration times is K times.
Taking the k-th iteration as an example,
when h is 1, the overall adjustment matrix of the original carrier image C
Figure RE-GDA0001874390860000063
Calculated by:
Figure RE-GDA0001874390860000064
when h is generated>1, overall adjustment matrix of the original carrier image C
Figure RE-GDA0001874390860000065
Calculated by:
Figure RE-GDA0001874390860000066
wherein the content of the first and second substances,
Figure RE-GDA0001874390860000067
e is the learning step length; deltaiFor cumulative competing noise (i.e. delta) after the ith iterationiAll antagonistic noise n after the ith iterationadSum, e.g. Δ if 1 st iterationiI.e. n calculated in the 1 st iterationad(ii) a If it is iteration 3, ΔiI.e. three n obtained by the 1 st to 3 rd iterative calculationadSum), T is the number of pixels to be modified, and is a regular term
Figure RE-GDA0001874390860000068
The coefficient of (a); l isN(θ,C+Δi+niY) is a parameter of (C + Delta)i+ni) A neural network loss function of input and y as a label;
Figure RE-GDA0001874390860000069
is represented by (C + Delta)i) Is an independent variable pair LN(θ,C+Δi+niY) derivation; l isNmul(θ,C+Δi+niY) is a parameter of (C + Delta)i+ni) A joint loss function of h neural networks which are input and y is a label;
Figure RE-GDA00018743908600000610
Figure RE-GDA00018743908600000611
is a pair of variables L of (C + Δ i)Nmulθ, C + Δ i + ni, y is derived; ni is random steganography noise of the ith iteration;
the preliminary enhanced carrier image C "after the kth iteration is recorded as:
Figure RE-GDA00018743908600000612
similarly, after rounding and pixel value boundary adjustment are performed on the preliminary enhanced carrier image C ″, a final enhanced carrier image C' after the kth iteration is obtained.
As can be understood by those skilled in the art, since the above-mentioned scheme of the present invention is an iterative calculation process, the enhanced carrier image C' obtained after each iteration is assigned to the original carrier image C, so that the k-th iteration is performed
Figure RE-GDA0001874390860000071
The original carrier image C referred to in the formula is not the original carrier image of the initial stage, but an enhanced carrier image obtained after the k-1 iteration.
In the above scheme of the embodiment of the present invention, in order to control the excessive modification introduced in the process of generating the security carrier so that the image deviates from the natural image to a large extent, L is introduced in the loss function2The norm is used as a regular term to control the modification amplitude in the generation process; let T denote the number of pixels that need to be modified, when L2When the loss exceeds T, the modification of the image is controlled, using a modification vector L with a max function2Norm as normalizer, expressed as
Figure RE-GDA0001874390860000072
And after K iterations are completed, selecting the enhanced carrier image with the best performance as an anti-safety carrier by combining performance test results:
if all performance tests fail in all K times of iteration processes, taking the enhanced carrier image with the highest success rate in the performance test process as an anti-safety carrier;
and if the enhanced carrier image obtained in the K-th iteration passes the performance test, the enhanced carrier image is used as a countermeasure security carrier.
Relevant parameters in the implementation process of the invention can be properly adjusted within a certain range, but the invention is to protect the enhanced vector generation method, namely different experimental parameters are still in the framework of the method provided by the invention.
In order to illustrate the performance of the above-described scheme of the present invention, related experiments were also performed.
Experimental parameter referencing: n is [ -1,1 ] of the same size as the input image]A random integer matrix within a range; the number of the steganalysis neural networks is 3, and the steganalysis neural networks used in the experiment are a Wu network, a Ye network and a Xu network respectively (namely h is 3); take 1X 10-4(ii) a E is that the learning rate is 1.0; k is taken as 30; q is 300; gamma is 90%; the steganography method uses the WOW algorithm at an embedding rate of 0.4 bpp. The experimental results are shown in fig. 3, where the meaning of the multi-network result is the probability that three networks are simultaneously judged as "not carrying secret".
The previous steganography work is seriously threatened by the steganography analysis of the neural network, and the enhanced carrier generation method for the steganography analysis neural network provided by the invention can effectively resist the steganography analysis of the neural network, so that the alarm-missing rate of the neural network is greatly improved. The invention can construct a safe carrier aiming at a plurality of steganalysis neural networks and simultaneously control the modifier introduced in the process of generating the carrier. Experimental results show that the method has obvious effect on resisting three mainstream steganalysis networks.
The embodiment of the invention designs a method for generating the enhanced steganographic carrier according to the three most advanced steganographic analysis networks, and experimental results show that the enhanced carrier generated by the method can effectively resist the most advanced steganographic analysis networks and make a contribution to steganographic security.
Through the above description of the embodiments, it is clear to those skilled in the art that the above embodiments can be implemented by software, and can also be implemented by software plus a necessary general hardware platform. With this understanding, the technical solutions of the embodiments can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A method for generating an anti-secure bearer for a steganalysis neural network, comprising:
step A, adding random steganography noise to an original carrier image by using a countermeasure sample technology to obtain a noisy image;
step B, inputting the image with noise into a given steganalysis neural network, calculating and modifying the gradient information of the original carrier image by calculating a loss function of the steganalysis neural network, further obtaining the counternoise, and then superposing the counternoise on the original carrier image to obtain a final enhanced carrier image of the iteration;
step C, performing performance test on the enhanced carrier image by using a given steganalysis neural network, meanwhile, assigning the enhanced carrier image to the original carrier image, and repeatedly executing the steps A to C, wherein the upper limit of the iteration times is K times, and after the iteration times are K times, selecting the enhanced carrier image with the best performance as an anti-safety carrier by combining performance test results;
calculating gradient information for modifying the original carrier image by calculating a loss function of the steganalysis neural network comprises the following steps:
assuming that the number of given steganalysis neural networks is h;
when h is 1, i.e. a single steganalysis neural network is given, the formula for calculating the gradient η of the modified original carrier image is as follows:
Figure FDA0002473351180000011
where θ represents a given steganalysis neural network
Figure FDA0002473351180000012
C represents a network parameter ofOriginal carrier image, y represents a real label;
Figure FDA0002473351180000013
is a neural network loss function with theta as a parameter, C as an input and y as a label;
Figure FDA0002473351180000014
representing pairs with C as an argument
Figure FDA0002473351180000015
Derivation is carried out;
when h >1, namely a plurality of steganalysis neural networks are given, the formula for calculating the gradient eta of the modified original carrier image is as follows:
Figure FDA0002473351180000016
wherein L isNmul(θ, C, y) = Totallos represents joint loss function,
Figure FDA0002473351180000017
represents C as an independent variable pair LNmul(θ, C, y) derivation.
2. The method of claim 1, wherein the applying the robust sample technique to add noise to the original carrier image comprises:
for the ith iteration, for the original carrier image C, the amplitude is generated to be [ -1,1 [)]Random steganographic noise matrix n of the same size therebetweenin, superposing the noise on the original carrier image C to obtain the image with noise
Figure FDA0002473351180000018
3. The method of claim 1, wherein the computing of the joint loss function comprises:
taking the weighted sum of the cross entropy of the output of each steganalysis neural network and the real label as a loss function,
Figure FDA0002473351180000019
as a regularization term, a joint loss function totallloss of all the steganalysis neural networks is obtained:
Figure FDA0002473351180000021
wherein, { loss1,loss2,...,losshIs the loss function without regularization term for each steganalysis neural network, { α1,α2,...,αhThe weight of each steganalysis neural network loss function is a regular term
Figure FDA0002473351180000028
The coefficient of (a);
regularization term
Figure FDA0002473351180000022
Expressed as:
Figure FDA0002473351180000023
where T is the number of pixels that need to be modified, ΔiIs the cumulative competing noise after the ith iteration.
4. The method of claim 1, wherein the secure vector generation method for steganalysis neural networks,
taking the learning rate epsilon as a gradient adjustment amplitude coefficient, multiplying the gradient eta by the learning rate epsilon to obtain the antagonistic noise nad:nad=η×∈;
Will then counter the noise nadSuperimposing the image onto the original carrier image C to obtain the iterationPreliminary enhanced carrier image C ": c ═ C + nad
The preliminary enhanced carrier image C ″ is floating-point data, the numerical value of each pixel in the preliminary enhanced carrier image C ″ is rounded using a round () function, and the boundary of the pixel value is adjusted within the range of [0,255], so that the final enhanced carrier image C' of the iteration is obtained.
5. The method for generating secure countermeasure bearer for steganalysis neural network according to claim 1 or 3 or 4, characterized in that the step of performing performance test on the enhanced bearer image by using the given steganalysis neural network includes:
when h is 1, a given steganalysis neural network is used
Figure FDA0002473351180000029
Generating Q sets of random Noise n ═ n1’,n2’,...,nQ'} superimposing the Noise in Noise on the enhanced carrier image C' for the i-th group of Noise n, respectivelyiTo say, get the ith group of carrier images with noise
Figure FDA0002473351180000024
Figure FDA0002473351180000025
Analyzing neural networks using steganalysis
Figure FDA00024733511800000210
Testing
Figure FDA0002473351180000026
Successfully deceiving steganography analysis neural network if the proportion of gamma exceeds gamma in all noisy carrier images
Figure FDA00024733511800000211
Network identified as such by the networkIf the non-secret-carrying image passes the performance test, the apparent enhancement carrier image already reaches the expected target;
when h is more than 1, performing performance test on the enhanced carrier image C' by using each steganalysis neural network in the same way as when h is 1, fusing the test results of all steganalysis neural networks, and judging the ith group of noisy carrier image by all steganalysis neural networks when all the steganalysis neural networks
Figure FDA0002473351180000027
Considering that the ith group of carrier images with noises passes the performance test when the images are not secret-carrying images; similarly, when the proportion of all noisy carrier images that exceeds γ passes the performance test, the visually enhanced carrier image has reached the intended goal.
6. The method of claim 1, wherein the selecting the best-performing enhanced bearer image as the secure bearer comprises:
if all performance tests fail in all K times of iteration processes, taking the enhanced carrier image with the highest success rate in the performance test process as an anti-safety carrier;
and if the enhanced carrier image obtained in the K-th iteration passes the performance test, the enhanced carrier image is used as a countermeasure security carrier.
7. The method for generating secure countermeasure vector for neural network of steganalysis according to claim 3 or 4,
when h is more than 1, if the enhanced carrier image obtained by the last iteration does not pass the performance test, correcting and judging the weight of the steganalysis neural network loss function with the lowest non-secret-carrying average probability, setting the non-secret-carrying average probability as rho, and setting a corresponding steganalysis neural network loss function weight correction formula as follows:
α’=α+1-ρ;
and B, during the next iteration, recalculating the joint loss function by combining the corrected weight of the steganalysis neural network loss function in the stage B.
8. The method of claim 1, wherein the secure vector generation method for steganalysis neural networks,
for the kth iteration:
when h is 1, the overall adjustment matrix of the original carrier image C
Figure FDA0002473351180000031
Calculated by:
Figure FDA0002473351180000032
when h >1, the overall adjustment matrix of the original carrier image C
Figure FDA0002473351180000033
Calculated by:
Figure FDA0002473351180000034
wherein the content of the first and second substances,
Figure FDA0002473351180000035
e is the learning step length; deltaiT is the number of pixels to be modified and is a regular term for the accumulated countermeasure noise after the ith iteration
Figure FDA00024733511800000310
The coefficient of (a); l isN(θ,C+Δi+niY) is a parameter of (C + Delta)i+ni) A neural network loss function of input and y as a label;
Figure FDA0002473351180000036
is represented by (C + Delta)i) Is an independent variable pair LN(θ,C+Δi+niY) solvingLeading; l isNmul(θ,C+Δi+niY) is a parameter of (C + Delta)i+ni) A joint loss function of h neural networks which are input and y is a label;
Figure FDA0002473351180000037
Figure FDA0002473351180000038
is represented by (C + Delta)i) Is an independent variable pair LNmul(θ,C+Δi+niY) derivation; n isiRandom steganography noise for the ith iteration;
the preliminary enhanced carrier image C "after the kth iteration is recorded as:
Figure FDA0002473351180000039
and obtaining a final enhanced carrier image C 'after the kth iteration by rounding the preliminary enhanced carrier image C' and adjusting the pixel value boundary.
CN201810984120.8A 2018-08-24 2018-08-24 Method for generating countermeasure security carrier aiming at steganalysis neural network Active CN109214973B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810984120.8A CN109214973B (en) 2018-08-24 2018-08-24 Method for generating countermeasure security carrier aiming at steganalysis neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810984120.8A CN109214973B (en) 2018-08-24 2018-08-24 Method for generating countermeasure security carrier aiming at steganalysis neural network

Publications (2)

Publication Number Publication Date
CN109214973A CN109214973A (en) 2019-01-15
CN109214973B true CN109214973B (en) 2020-10-27

Family

ID=64985509

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810984120.8A Active CN109214973B (en) 2018-08-24 2018-08-24 Method for generating countermeasure security carrier aiming at steganalysis neural network

Country Status (1)

Country Link
CN (1) CN109214973B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109934761B (en) * 2019-01-31 2022-11-29 中山大学 JPEG image steganalysis method based on convolutional neural network
CN109948663B (en) * 2019-02-27 2022-03-15 天津大学 Step-length self-adaptive attack resisting method based on model extraction
CN110334805B (en) * 2019-05-05 2022-10-25 中山大学 JPEG domain image steganography method and system based on generation countermeasure network
CN110298384B (en) * 2019-06-03 2021-03-12 西华大学 Countermeasure sample image generation method and apparatus
CN110889797B (en) * 2019-10-15 2021-06-08 浙江大学 Depth self-adaptive image hiding method based on confrontation sample generation
CN111177757A (en) * 2019-12-27 2020-05-19 支付宝(杭州)信息技术有限公司 Processing method and device for protecting privacy information in picture
CN113096023B (en) * 2020-01-08 2023-10-27 字节跳动有限公司 Training method, image processing method and device for neural network and storage medium
CN111131658B (en) * 2020-01-19 2021-08-24 中国科学技术大学 Image steganography method, device, electronic equipment and medium
WO2021189364A1 (en) 2020-03-26 2021-09-30 深圳先进技术研究院 Method and device for generating adversarial image, equipment, and readable storage medium
CN111768325B (en) * 2020-04-03 2023-07-25 南京信息工程大学 Security improvement method based on generation of countermeasure sample in big data privacy protection
CN111598227B (en) * 2020-05-20 2023-11-03 字节跳动有限公司 Data processing method, device, electronic equipment and computer readable storage medium
CN112019700B (en) * 2020-08-14 2022-03-29 深圳大学 Method for preventing secret-carrying image from being detected, intelligent terminal and storage medium
CN112035834A (en) * 2020-08-28 2020-12-04 北京推想科技有限公司 Countermeasure training method and device, and application method and device of neural network model
CN112884628B (en) * 2021-01-13 2024-04-02 深圳大学 Attack method of image steganalysis model for airspace enrichment model

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106228505A (en) * 2016-07-15 2016-12-14 广东技术师范学院 A kind of robust general steganalysis method of picture material perception
CN107563155A (en) * 2017-08-08 2018-01-09 中国科学院信息工程研究所 A kind of safe steganography method and device based on generation confrontation network
CN108346125A (en) * 2018-03-15 2018-07-31 中山大学 A kind of spatial domain picture steganography method and system based on generation confrontation network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930495B (en) * 2012-10-16 2015-01-21 中国科学院信息工程研究所 Steganography evaluation based steganalysis method
US9197655B2 (en) * 2013-07-16 2015-11-24 Bank Of America Corporation Steganography detection
CN106251375B (en) * 2016-08-03 2020-04-07 广东技术师范学院 Deep learning stack type automatic coding method for general steganalysis
CN107945204B (en) * 2017-10-27 2021-06-25 西安电子科技大学 Pixel-level image matting method based on generation countermeasure network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106228505A (en) * 2016-07-15 2016-12-14 广东技术师范学院 A kind of robust general steganalysis method of picture material perception
CN107563155A (en) * 2017-08-08 2018-01-09 中国科学院信息工程研究所 A kind of safe steganography method and device based on generation confrontation network
CN108346125A (en) * 2018-03-15 2018-07-31 中山大学 A kind of spatial domain picture steganography method and system based on generation confrontation network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
EXPLAINING AND HARNESSING ADVERSARIAL EXAMPLES;Ian J. Goodfellow 等;《arXiv:1412.6572v3》;20150320;1-11 *
Intriguing properties of neural networks;Christian Szegedy 等;《arXiv:1312.6199v4》;20140219;1-10 *
针对特定测试样本的隐写分析方法;张逸为 等;《软件学报》;20171204;第29卷(第4期);987-1001 *

Also Published As

Publication number Publication date
CN109214973A (en) 2019-01-15

Similar Documents

Publication Publication Date Title
CN109214973B (en) Method for generating countermeasure security carrier aiming at steganalysis neural network
CN113554089B (en) Image classification countermeasure sample defense method and system and data processing terminal
CN111753881B (en) Concept sensitivity-based quantitative recognition defending method against attacks
CN113538202B (en) Image steganography method and system based on generation type steganography contrast
WO2018156478A1 (en) Image recognition method and apparatus
Singh et al. Steganalysis of digital images using deep fractal network
CN112260818B (en) Side channel curve enhancement method, side channel attack method and side channel attack device
CN111507386A (en) Method and system for detecting encrypted communication of storage file and network data stream
JP2021521566A (en) A method of learning and testing a data embedding network that synthesizes original data and mark data to generate marked data, and a learning device and test device using it.
CN111222583B (en) Image steganalysis method based on countermeasure training and critical path extraction
He et al. Finger vein image deblurring using neighbors-based binary-GAN (NB-GAN)
Guo et al. A White-Box False Positive Adversarial Attack Method on Contrastive Loss Based Offline Handwritten Signature Verification Models
CN113298689A (en) Large-capacity image steganography method
CN116188439A (en) False face-changing image detection method and device based on identity recognition probability distribution
CN111597847A (en) Two-dimensional code identification method, device and equipment and readable storage medium
Geradts et al. Interpol review of forensic video analysis, 2019–2022
CN116258867A (en) Method for generating countermeasure sample based on low-perceptibility disturbance of key region
CN113570564B (en) Multi-definition fake face video detection method based on multi-path convolution network
CN115936961A (en) Steganalysis method, device and medium based on few-sample contrast learning network
CN113487506A (en) Countermeasure sample defense method, device and system based on attention denoising
Wu et al. Giid-net: Generalizable image inpainting detection network
CN114359009A (en) Watermark embedding method, watermark embedding network construction method and system of robust image based on visual perception and storage medium
CN114332982A (en) Face recognition model attack defense method, device, equipment and storage medium
Dhar et al. Detecting deepfake images using deep convolutional neural network
Gajani et al. Guarding Against Bots with Art: NST-based Deep Learning Approach for CAPTCHA Verification

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant